Securing the Foundation

It’s 3:25 p.m. on any given business day. The afternoon slump weighs heavy. The Outlook inbox notification dings and the temptation to take a break from this spreadsheet is strong. It’s an email from a close coworker, “Fwd: tips for losing weight easy.” Or at least, it appears to be from a close coworker, but it includes a link to an unknown site.

To click or not to click? We’ve all been there.

But by now most of us know the signs of a phishing email. Still, what appears to be a harmless message from a friend could be the beginning of a cybersecurity breach.

Cybersecurity has been likened to storing valuables in an unguarded house — the house is the Internet and the valuables are your or an organization’s private data. For individuals, the threat is scary enough — viruses and malware that generate threatening or embarrassing emails or Facebook posts, or worse, identity theft.

But think bigger and the threat multiplies tenfold.

Power plants talk to the Internet, too. The energy sector has experienced the most cybersecurity incidents of all critical infrastructure industries in the past several years, according to federal data. But none of these attacks have been successful in taking down the grid.

“With the Internet, [hackers] can affect a wide range of customers, thousands at a time,” said Tom Ayers, chief executive officer of N-Dimension. N-Dimension provides continuous monitoring and vulnerability assessments to public power utilities. Ayers said that some of N-Dimension’s smaller utility customers have been hacked as part of a larger attack that spanned multiple utilities and networks.

Cyber attacks aimed at the grid may start small but can threaten the security of electric utility operations and, in turn, the security of the entire country’s electric grid. This has forced utilities to make cybersecurity a priority throughout their business. But as anyone with an email account knows, dangers can lurk just a mouse-click away.

“Cyber threats can be initiated from the far reaches of the world by actors with malicious intent placing malware onto vulnerable systems — and they are increasingly demonstrating their ability to do so, even in the United States,” said Nathan Mitchell, senior director of electric reliability standards and security at the American Public Power Association. “We must continue to deploy and improve the cybersecurity tools used to defend against these threat actors.”

Critical infrastructure industries including electricity are handling cybersecurity much like individuals do, but on an exponential scale. Imagine that spam blocker on your email account as a virus and malware detection system that alerts grid monitors and provides automatic remediation. Envision your email or computer password as not only a lock but a security system that monitors network traffic for malicious activity and actively blocks intrusions as they are detected.

The energy industry is also utilizing collaboration to bring consistency to monitoring and detection and keep everyone in the loop on the growing and quickly evolving array of threats to the grid.

Secure and smart from the start
The energy sector faces threats including data theft, denial of service attacks, website defacement, and privacy breaches, or worse, operation, where attacks target the generation and delivery of power.

With the proliferation of smart grid technologies, being cybersecure has become a complex challenge.

“With smart grid technologies being deployed, utilities are adding connected devices in their substations, on their distribution and transmission network, and finally meters at the home,” said Benjamin Beberness, chief information officer at Snohomish Public Utility District in Washington. “All of these devices need to be secured. To do that, we are making sure that security is baked in from the beginning.”

Snohomish has established a smart grid lab, which allows the utility to test its new equipment across the full spectrum: from SCADA systems to meters. “This also helps us secure and test our equipment before it goes out into the field,” said Beberness.

According to a new report by Dell Security, cyber attacks on SCADA systems doubled last year, and they have increased 600 percent since 2012.

Utilities are threatened by outsiders — like hackers and hackivists with ties to foreign governments and organized crime — and insiders, such as disgruntled employees. Both employees with malicious intent and employees with no malicious intent who do not follow security protocols closely, or are not aware them, pose a threat.

“The riskiest thing we see is people bringing in their own USBs,” said N-Dimension’s Ayers.

“The expansion of the internal attack surface has required us to look at tools that help us understand what is going on within the walls and training our staff to understand how everyone plays a role in securing our utility,” said Beberness. “Our goal is that we not only have a culture of safety but a culture of security.”

The risk is such that it only takes one person or one click to let in a threat, said Paul Crist, vice president of technology services and chief technology officer for Lincoln Electric System in Nebraska.

“It only takes one user in your company to click on something bad,” Crist said. He said there has been an increase in spear phishing incidents — or a malicious email that appears to be from someone you know, but isn’t — particularly targeting chief financial officers and chief executive officers. The hacker wants to steal financial information from the computer and connected company networks.

In addition to training employees to do things like look for suspicious emails or lock their computers when they are away from their desks, Lincoln Electric System has installed email filtering software that blocks suspicious emails and overwrites all URLs included in an email.

“The service masks the URL and sends it through their system first to verify the link is safe,” said Crist.

Lincoln Electric System also hosts “reboot Thursdays” where all computers connected to the corporate network are rebooted to have new security patches installed.

“One of the things we are ramping up is data loss prevention,” said Crist. “That is where you are looking for data moving that is abnormal and you flag it or block it until it is validated.”

Collaboration: Power combined
Lincoln Electric System is part of a pilot program supported by the Department of Energy which involves additional network activity monitoring and rigorous analysis. The program also shares what it finds automatically with all of its participants. The program involves the gas, oil, and electric sectors.

DOE’s pilot is one of several government-led efforts to encourage the sharing of threat information. Another is the Electricity Information Sharing and Analysis Center. The electricity industry just exercised the E-ISAC’s information sharing capability in a mock cyber and physical attack called Grid Ex. APPA participated in the drill’s third incarnation.

Another valuable resource is the Industrial Control Systems Cyber Emergency Response Team monthly newsletter operated by the Department of Homeland Security. In the newsletter, ICS-CERT shares all security breaches reported by critical infrastructure owners in the United States, without naming the entities that have been threatened or attacked.

The Cybersecurity Information Sharing Act, which recently passed in the U.S. Senate, is a legal attempt to institutionalize information sharing among private entities, nonfederal government agencies, state, tribal, and local governments, the public, and entities under threat, including utilities.

In a joint letter, trade associations including APPA, the National Rural Electric Cooperative Association and Edison Electric Institute encouraged legislators to approve the act. The bill will facilitate and encourage more open communication between agencies, the power sector and other critical infrastructure owners to bolster cybersecurity defense, the groups said in support of the bill.

Despite the many existing ways the industry communicates and shares information about cybersecurity, there is still room for better government-industry cooperation in sharing actionable information, APPA and the other groups said.

John Bilda, general manager at Norwich Public Utilities in Connecticut, urged collaboration to go a step further than simply information sharing. “On an industry-wide level, the lack of mutual aid for cyber attacks is a growing concern,” he said. “Currently mutual aid among utilities exists for service restoration in the event of a natural disaster or other large-scale incident. The utility industry should examine the need for a similar system for cybersecurity.”

Public power is also represented at the Electric Sub-Sector Coordinating Council’s table by Kevin Wailes, administrator and CEO of Lincoln Electric System. Wailes serves as the vice chair of the ESCC. The council was formed in the late 90’s in support of NERC and its critical infrastructure protection plan. The council focuses on malicious threats as well as responding to severe storms.

“Cybersecurity is not a task that can be completed, but an ongoing process as the threats evolve and tools to address those threats mature,” Wailes said. “The industry, through the ESCC, has developed a critical partnership with the senior levels of government, facilitated by the Department of Energy and Department of Homeland Security, that supports continually improving information sharing, expanded tools and cooperation in developing solutions to achieve higher levels of resilience.”

Top 10 Cybersecurity Technologies

Vulnerability scans: Assesses endpoint devices — desktops, laptops, servers, industrial control systems, etc. — and applications for cybersecurity weaknesses. Such weaknesses may include unpatched software, open ports and services and use of default passwords. Vulnerability scans are often run once or twice a year, typically by an outside third party. A newer approach is scans run daily.

Anti-virus/Anti-malware: Software installed on computers and servers to detect virus/malware signatures and alert users to activity. Some solutions can also provide remediation.

Access control: Controls access to information technology resources, permitting or denying the use of a system, file or access to a network by an individual or process. Access Control delivers three basic services: authentication, authorization and accountability.

Automated sharing of malware signatures: Devices that automatically share and block malware signatures as soon as they are discovered.